Diversity for Intrusion Tolerant Systems
Intrusion tolerance is a security and dependability paradigm that has been gaining momentum over the past decade. It lets system designers address both accidental faults and attacks in a seamless manner, which can complement the reach of classical security approaches. Intrusion tolerance assumes that: in part due to their complexity, systems remain to some extent faulty and/or vulnerable; attacks on components can happen and some will be successful; but automatic mechanisms can ensure that the overall system nevertheless remains correct and operational.
In distributed systems, the usual way to deploy intrusion tolerant services is through a middleware layer that manages n server replicas. Replicas perform the operations requested by the users, and rely on the distributed protocols of the middleware to carry out coordination and cooperation actions. Given the malicious intelligence behind the expected threats, the protocols have to resist a wide range of attacks originating from the network, from bad clients and from corrupted replicas. The necessary number of replicas varies with the system configuration, the baseline being that if one expects a number f of faults or intrusions, then the service should run a minimum of n = 3f+1 replicas.
Intrusion tolerant systems, therefore, can only remain correct if they are able to keep, at every instant, the number of corrupted replicas smaller than the threshold f. This is a difficult task because adversaries are always discovering new forms of attack, and it is exacerbated by common-mode vulnerabilities. These vulnerabilities occur in all (or in a large subset of) the replicas, and once found they allow a speedy compromise of the whole system with minimal effort. Additionally, adversaries learn from past intrusions, which means that even if replicas are recovered, they will rapidly be corrupted again unless they are restarted with diverse software (software that does not contain the same vulnerabilities).
In this project, we want to investigate ways to obtain and integrate diverse software replica versions in intrusion tolerant systems. In the past, this subject has been mainly overlooked because research in distributed protocols has considered it an orthogonal issue. However, once the actual deployment of systems is considered, it becomes a fundamental problem that is actually quite hard to solve. Firstly, in almost all cases it is infeasible to build several software versions due to cost, and even if it were possible, it is not clear that the outcome would be acceptable (e.g., programmers tend to make similar mistakes). Therefore, one would always need to devise evaluation methods to confirm the vulnerability independence of the replicas. Secondly, diversity increases the difficulty of ensuring replica execution determinism, a common assumption in intrusion tolerant systems. In these systems, malicious replica behavior is usually tolerated by running the same operation on all replicas and then selecting the result that has more than f votes. This quorum might not be attainable because small changes in the replicas' executions can have an impact on the output result. Therefore, mechanisms will have to be devised to address this issue.
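The voting step described above, as an added example that is not the project's own code: with f = 1 the service runs n = 3f+1 = 4 replicas, and a result is accepted only when more than f replicas agree. The second sample run shows how diverse replicas that compute the same state but serialize it differently leave the quorum unattainable; the canonicalization step that restores it (`canonical_json`) is an assumed mechanism for illustration, not one the page prescribes, and all replica replies are constructed.

```python
import json
from collections import Counter
from typing import Callable, Dict, Optional

# Constructed sample: f = 1, so the service runs n = 3f + 1 = 4 replicas and a
# result is accepted only when more than f (here: at least 2) replicas agree.
F = 1
N = 3 * F + 1

def select_result(replies: Dict[str, str], f: int,
                  canon: Callable[[str], str] = lambda r: r) -> Optional[str]:
    """Voter over replica replies (replica id -> raw reply), compared after `canon`.
    Returns the value backed by more than f replicas; None if no value reaches that
    quorum, or if two distinct values both do (a split that identical, deterministic
    replicas cannot produce, so it is flagged rather than resolved arbitrarily)."""
    votes = Counter(canon(r) for r in replies.values())
    winners = [value for value, count in votes.items() if count > f]
    return winners[0] if len(winners) == 1 else None

def canonical_json(raw: str) -> str:
    """Assumed normalization step: compare JSON replies by content, not by bytes."""
    return json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":"))

# Run 1: identical replica software; r0-r2 are correct, r3 is compromised.
IDENTICAL = {
    "r0": '{"balance": 10, "id": 7}',
    "r1": '{"balance": 10, "id": 7}',
    "r2": '{"balance": 10, "id": 7}',
    "r3": '{"balance": 99, "id": 7}',
}

# Run 2: diverse replica software; r0-r2 compute the same state but serialize it
# differently (key order, whitespace), r3 is again compromised.
DIVERSE = {
    "r0": '{"balance": 10, "id": 7}',
    "r1": '{"id":7,"balance":10}',
    "r2": '{ "id": 7, "balance": 10 }',
    "r3": '{"balance": 99, "id": 7}',
}

def demo() -> Dict[str, Optional[str]]:
    assert len(IDENTICAL) == N and len(DIVERSE) == N
    return {
        "identical_raw": select_result(IDENTICAL, F),                # 3 matching votes
        "diverse_raw": select_result(DIVERSE, F),                    # None: 1 vote each
        "diverse_canon": select_result(DIVERSE, F, canonical_json),  # quorum restored
    }

if __name__ == "__main__":
    print(demo())
```

Note that canonicalizing the serialization only repairs cosmetic divergence; a replica whose diverse implementation computes a genuinely different value still splits the vote, which is the harder problem the paragraph points at.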
Contributions are expected in the following important areas:
Project name: Diverse – Diversidade para Sistemas Tolerantes a Intrusões
Sponsoring body: FCT (PTDC/EIA-EIA/100894/2008)
European Union – Structural Funds
Government of the Portuguese Republic